Jim Pingle wrote:
>> I have another soekris running 2.0-BETA2 and seeing the following in the
>> logs from it(it's not logging source or destination).  Be nice to have
>> the source ip address...
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
>>
>> Jun  8 21:47:21 proxy pf: 00:00:00.000350 rule 2/0(match): block in on sis0: 
>> (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
>> Jun  8 21:47:21 proxy pf: 00:00:00.000302 rule 2/0(match): block in on sis0: 
>> (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 235)
>> Jun  8 21:47:21 proxy pf: 00:00:00.000290 rule 2/0(match): block in on sis0: 
>> (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
>> Jun  8 21:47:21 proxy pf: 00:00:00.000289 rule 2/0(match): block in on sis0: 
>> (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
>>     
>
> On 2.0 the pf logs are split into two lines. You need the line after
> this to see the remainder of the log info.
>
>   
That bytes!  How does a simple syslog parser handle that to match the
two lines together?  How can you guarantee that the next line is the
matching line and not from some other process sending stuff to syslog?
> As for the ports you are seeing, they don't look familiar to me, but
> going by the list here: https://isc.sans.org/port.html
>
> They aren't common in terms of source or destination ports seen.
>
> https://isc.sans.org/port.html?port=19295
> https://isc.sans.org/port.html?port=19296
> https://isc.sans.org/port.html?port=61891
>
> Jim
>

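One way a syslog consumer can do the pairing asked about above, added here as an example and not code from the thread or from pfSense: a header line is held per syslog host under the "pf" program tag, only a line from that same host and tag that has the shape of a tcpdump address line ("src.port > dst.port:") is accepted as its continuation, and a header that never gets one is reported as an orphan rather than matched to whatever came next. The sample lines, hostnames and addresses below are constructed; the e-mail wrapped the header line, here it is kept on one line.

```python
import re

# Constructed sample (not from the thread): pfSense 2.0 writes each pf log entry as two
# syslog lines that share the same "host pf:" prefix. The header line carries the rule
# and IP header; the address line that follows carries src/dst. An unrelated sshd line
# is interleaved on purpose, and the second header never gets its address line, so the
# parser must neither pair the sshd line nor pair header 2 with header 3's address line.
SAMPLE_LOG = """\
Jun  8 21:47:21 proxy pf: 00:00:00.000350 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
Jun  8 21:47:21 proxy sshd[812]: Accepted publickey for admin from 10.0.0.9 port 51022
Jun  8 21:47:21 proxy pf:     192.0.2.10.19295 > 198.51.100.7.61891: UDP, length 215
Jun  8 21:47:21 proxy pf: 00:00:00.000302 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 235)
Jun  8 21:47:22 proxy pf: 00:00:00.000290 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
Jun  8 21:47:22 proxy pf:     192.0.2.11.19296 > 198.51.100.7.61891: UDP, length 215
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ rule (?P<rule>\S+?)\((?P<reason>\w+)\): "
                    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): \(.*proto (?P<proto>\w+) \(\d+\).*\)$")
ADDR = re.compile(r"^\s*(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): ")

def parse_pf_log(text):
    """Return (events, orphans): paired pf entries as dicts, and header lines never completed."""
    events, orphans = [], []
    pending = {}  # host -> parsed pf header waiting for its address line
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["prog"] != "pf":
            continue  # other daemons can interleave; only a line tagged "pf" can be a continuation
        host, msg = m["host"], m["msg"]
        h = HEADER.match(msg)
        if h:
            if host in pending:  # a new header before the old one finished: report it, don't guess
                orphans.append(pending[host].string)
            pending[host] = h
            continue
        a = ADDR.match(msg)
        if a and host in pending:  # address line from the same host completes the pending header
            h = pending.pop(host)
            events.append({"host": host, "action": h["action"], "dir": h["dir"], "iface": h["iface"],
                           "rule": h["rule"], "proto": h["proto"], "src": a["src"],
                           "sport": int(a["sport"]), "dst": a["dst"], "dport": int(a["dport"])})
        # an address line with nothing pending, or any other pf message, is dropped
    orphans.extend(h.string for h in pending.values())
    return events, orphans
```

Syslog timestamps have only one-second resolution and the two lines can straddle a second boundary, so the pairing deliberately keys on host and program tag rather than on the timestamp.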